Privacy Policy

This Privacy Policy explains how Twomiah Software Ventures ("Twomiah," "we," "us," or "our"), located in Eau Claire, Wisconsin, collects, uses, discloses, and protects information when you use the Twomiah platform, Twomiah Ads, and any related services (collectively, the "Services"). By using our Services, you agree to the practices described in this policy.

1. Information We Collect

We collect the following categories of information depending on how you interact with our Services:

Account and Business Information

• Full name, email address, and phone number
• Business name, address, industry, and company size
• Job title or role within your organization
• Account credentials (passwords are stored as salted hashes and are never stored in plaintext)

Payment Information

• Billing name and address
• Credit card or payment method details (processed and stored by Stripe; we do not store full card numbers on our servers)
• Subscription plan, billing cycle, and transaction history

Platform Usage Data

• CRM data you enter, including contacts, jobs, quotes, invoices, schedules, and documents
• Communication logs such as SMS messages sent through the platform via Twilio
• Call recordings and transcriptions when you use AI Receptionist or Call Tracking features
• Files, photos, and documents you upload

Advertising Account Data (Twomiah Ads)

• Meta (Facebook/Instagram) ad account IDs, campaign data, and performance metrics accessed through authorized API connections when you connect your own Meta ad account
• Google Ads campaign data and performance metrics for campaigns we operate on your behalf. For Google Ads, Twomiah acts as your agency of record: we create a dedicated Google Ads child account for you inside our own Google Ads manager account (MCC) and access campaign data via our own developer token and credentials. You do not connect your own Google Ads account.
• Ad creative content, audience targeting parameters, and budget allocations you configure
• Prepay ad balance and ledger of top-ups and spend reconciliation for Twomiah Ads clients on our managed Google Ads billing model

Technical and Device Information

• IP address, browser type, operating system, and device identifiers
• Pages visited, features used, and session duration
• Referring URLs and general geographic location derived from IP address

2. How We Use Your Information

We use the information we collect to:

• Provide and operate the Services — including your CRM, website, customer portal, scheduling, invoicing, and all other platform features
• Manage advertising campaigns — create, optimize, and report on Meta and Google ad campaigns through Twomiah Ads on your behalf
• Process payments — charge subscription fees, process one-time purchases, and manage billing through Stripe
• Send transactional communications — deliver password resets, invoice notifications, appointment confirmations, and other service-related emails through SendGrid
• Enable SMS and voice features — send and receive text messages, process call recordings, and power the AI Receptionist through Twilio
• Improve the platform — analyze usage patterns to fix bugs, improve performance, and develop new features
• Provide customer support — respond to your support tickets, troubleshoot issues, and assist with onboarding
• Ensure security — detect and prevent fraud, unauthorized access, and abuse of the platform

We do not sell your personal information. We do not use your data to build advertising profiles for third-party advertisers.

3. Advertising Data Use (Twomiah Ads)

Google Ads — Agency of Record model. For Google Ads, Twomiah operates a Google Ads manager account (MCC) and creates a dedicated child account for each Twomiah Ads client under that MCC. We access the Google Ads API through our own developer token and credentials — you do not connect your own Google account and never see a Google consent screen. By using Twomiah Ads, you authorize Twomiah to act as your agent for the purpose of creating, managing, optimizing, and reporting on Google Ads campaigns on your behalf.

Data retrieved from the Google Ads API (campaign-level and ad-level metrics for child accounts we operate for you) is used solely to: (a) display performance to you in your dashboard; (b) power automated optimizations of your specific campaigns; (c) generate AI-powered creative variants and recommendations tailored to your own performance history; and (d) reconcile spend against your prepay balance. We do not sell Google Ads data, use it for any advertising purpose outside operating your campaigns, use it to train machine learning models, or share it across clients. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Meta Ads — Connected account model. For Meta (Facebook/Instagram) advertising, when you connect your own Meta ad account to Twomiah Ads, we access your ad data through Meta's Marketing API only with your explicit authorization and only to the extent necessary to create, manage, optimize, and report on campaigns you have requested. When you disconnect your Meta account from Twomiah Ads, we stop accessing your Meta ad platform data.

Historical performance reports and creative generated during your use of the service are retained in your Twomiah account and exportable on request, unless you request deletion.

4. Third Parties We Share Data With

We share information with the following third-party service providers, solely to operate the Services. These providers are contractually bound to use your data only for the purposes we specify:

• Stripe — payment processing, subscription management, and billing. Stripe receives your payment method details, billing address, and transaction amounts. Stripe Privacy Policy
• Twilio — SMS messaging, voice calls, call recording, and phone number provisioning. Twilio processes phone numbers, message content, and call audio. Twilio Privacy Policy
• SendGrid (Twilio) — transactional and notification emails. SendGrid receives recipient email addresses, sender information, and email content. SendGrid Privacy Policy
• Supabase — database hosting and authentication infrastructure for platform-hosted (SaaS) customers. Supabase stores the data you enter into your CRM. Supabase Privacy Policy
• Meta Platforms (Facebook/Instagram) — when you connect your Meta ad accounts to Twomiah Ads, we access your ad data through Meta's Marketing API to manage campaigns. Meta Privacy Policy
• Google (Google Ads) — Twomiah operates Google Ads campaigns for Twomiah Ads clients through a Google Ads manager account (MCC) owned by Twomiah. A dedicated child account is created for each client under our MCC. We access the Google Ads API using our own developer token and credentials; clients do not connect their own Google account. Google Privacy Policy
• OpenAI — call transcription and summarization for the AI Receptionist feature. Audio recordings and text are sent to OpenAI's Whisper and GPT APIs for processing. OpenAI does not use data submitted through our API for model training. OpenAI Privacy Policy
• Render — application hosting and deployment. Render hosts the servers that run your CRM and website. Render Privacy Policy
• GitHub — source code repository hosting for deployed customer applications. GitHub Privacy Policy

We may also disclose information when required by law, in response to valid legal process, or to protect the rights, property, or safety of Twomiah, our customers, or the public.

5. How We Protect Your Data

We implement multiple layers of security to protect your information:

• Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS). API calls to third-party services are also encrypted in transit.
• Encryption at rest — databases are encrypted at rest using AES-256 encryption provided by our infrastructure providers.
• Isolated per-tenant databases — each customer's CRM data is stored in a dedicated, isolated database instance. Your data is never commingled with another customer's data in the same database.
• Password security — user passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
• Access controls — role-based permissions ensure that only authorized users within your organization can access sensitive data. Our internal team access is limited to what is necessary for support and operations.
• Token-based authentication — API access uses short-lived JWT tokens with automatic rotation of refresh tokens.

While we take commercially reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

• Authentication cookies — essential cookies that keep you logged into the platform and maintain your session. These are strictly necessary for the Services to function.
• Preference cookies — store your display preferences such as dark mode/light mode settings and sidebar state.
• Analytics cookies — help us understand how the platform is used, which features are most popular, and where users encounter issues. We use this data to improve the Services.

We do not use third-party advertising trackers on the Twomiah platform. We do not serve ads to you within the platform or sell cookie data to third parties.

Most browsers allow you to control cookies through their settings. Disabling essential cookies may prevent you from logging in or using the Services.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Services. Specifically:

• Account data — retained for the duration of your subscription and for 90 days after account cancellation, unless you request earlier deletion.
• CRM and business data — retained for the duration of your subscription. Upon cancellation, data is available for export for 90 days, after which it is permanently deleted.
• Call recordings and transcriptions — retained according to your account settings. You may delete recordings at any time through the platform.
• Payment records — retained as required for tax, accounting, and legal compliance purposes, typically for 7 years.
• Server logs — retained for up to 90 days for security and debugging purposes.

Self-hosted customers who purchase a license and deploy on their own infrastructure are responsible for their own data retention and deletion.

8. Your Rights

You have the following rights regarding your personal information:

• Access — you can request a copy of the personal data we hold about you. Most of your data is accessible directly through the platform at any time.
• Correction — you can update your personal information directly in your account settings, or contact us to correct inaccurate data.
• Deletion — you can request that we delete your personal data. We will comply within 30 days, except where we are required to retain data for legal or compliance reasons.
• Data export — you can export your CRM data, contacts, invoices, and other business data through the platform's built-in export features.
• Opt out of marketing communications — you can unsubscribe from promotional emails using the unsubscribe link in any marketing email, or by contacting us. This does not affect transactional emails necessary for the Services.
• Revoke ad account access — you can disconnect your Meta ad account from Twomiah Ads at any time through the integrations settings page. For Google Ads, because Twomiah operates campaigns on your behalf under our own manager account, revoking our authority to advertise for you is handled by terminating Twomiah Ads service, which pauses all of your campaigns.

To exercise any of these rights, email us at support@twomiah.com with the subject line "Privacy Request." We will respond within 30 days.

9. Children's Privacy

The Services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through a prominent notice in the platform at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was most recently revised.

11. Contact Us

If you have questions about this Privacy Policy, your data, or our privacy practices, contact us at:

Twomiah Software Ventures
Eau Claire, WI
support@twomiah.com